Python/Powershell Incident Response Class
Nowadays most Windows-based attacks revolve around PowerShell. As an incident responder, you should know your way around PowerShell, especially how attackers can leverage it in various ways across the attack lifecycle. The aim of this article is to give a glimpse of the different techniques in the PowerShell arsenal that can aid responders in hunting activities. This course focuses on battling the much-maligned Advanced Persistent Threat (APT) and is up to date with the latest forensic techniques. Incident management is an often-debated, frequently misunderstood topic that can quickly befuddle even the most advanced security teams. So, to clear things up, we took "lessons learned" from successes and failures over the years. While it may not answer every question you have about modern incident response, we hope it sets the wheels in motion for something better than what you have today.
| Course Detail | Value |
|---|---|
| Contact Hours: | 41 hr lecture, 31 hr labs |
| Prerequisites: | Understanding of TCP/IP protocols |
| Credits: | 72 CPE / 3 CEU |
| Method of Delivery: | Residential (face-to-face) or hybrid |
| Method of Evaluation: | 1. 95% attendance; 2. 100% completion of labs |
| Grading: | Pass = attendance + labs & quizzes; Fail > 95% attendance |
This 72-hour accelerated class is taught in a face-to-face or hybrid modality. The class includes 72 hours of contact studies, labs, reading assignments and a final exam; passing the final exam is a requirement for graduation.
Class Materials - SU class textbook, labs and resource CD
- Students will be able to write a script in PowerShell.
- Students will be able to describe how to use PowerShell to implement various incident response and risk analysis methodologies.
- Students will be able to evaluate and categorize risk using PowerShell-driven incident response.
- Text Materials: labs, SU Pen Testing Materials, resource CDs and attack handouts.
- Machines: dual core, 486M RAM, 1 TB drives, running MS OS, Linux, and VMware Workstation.
Did you hear about North Korea hacking Sony Pictures? Or about Stuxnet, one of the most sophisticated APTs, which affected nuclear plants in Iran? This exciting certification requires clearing CMSD first before you can start learning how to dissect nation-state-sponsored attacks! You will learn techniques to dynamically instrument binaries during execution with PinTool, and how to create Immunity Debugger plugins to hook malicious APIs. You will have the chance to understand and practice how to dissect the most sophisticated APT of our era, the Equation Group, and see how they are able to hide their presence within hard drives by reprogramming the firmware!
Learning Objectives -
This course is an enrichment-style lab immersion concept:
This class has recently been retooled to focus on battling the much-maligned Advanced Persistent Threat (APT). The class motto is "APT is in your network, start hunting". The APT focus makes it 100% relevant not just to forensic investigators, but to anyone wanting to learn to defend their network. The Material - this course is a smorgasbord of valuable skills and information for incident responders, system administrators, and forensicators alike.
Lesson 1 - 11 hr lab and 4 hr lecture
The class covers the physical layers of the file system (from the physical platters to the file name layer that contains file names and a directory structure), and how to properly mount images for analysis (e.g. read-only). Just when you think the first day couldn't cover any more information, the class jumps into the exciting world of Enterprise Analysis and Live System Incident Response (my favorite!!). This portion teaches students about domain authentication, how to secure domain administrator credentials, and many methods of accessing system information on remote hosts (many of my future blog posts will revolve around utilizing PowerShell for "Live System 'Enterprise' Incident Response", for lack of a better term).
Lesson 2 - 10 hr labs and 4 hr lecture
The second day is spent covering memory forensics. Memory Forensics covers the details of memory (memory structures and such), and how to implement memory forensics TODAY. Students will learn how to acquire memory, as well as how to provide in-depth analysis of the memory once acquired. Memory forensics is absolutely necessary when combating APT, as it is one of the best, if not the only, methods to detect rootkits. The best part of lesson 2 is that it doesn't focus on one method of analyzing memory. We spend the time to teach students the pros and cons of different tools, and even different methods of using the same tool.
Lesson 3 - 10 hr labs and 4 hr lecture
Lesson 3 is dedicated to timeline analysis. No one should be considered a forensicator or incident responder if they do not have an intimate knowledge of timeline analysis (specifically using log2timeline). Log2timeline came out of a GCFA Gold Paper written by Kristinn Guðjónsson, and the community has never looked back. Log2timeline is really a cultural shift in the way we perform investigations, as it aggregates almost every forensic artifact into one timeline that truly tells the story of actions taken on a machine. If you cannot interpret a specific artifact, then you lose fidelity in your timeline (and possibly the opportunity to spot malicious activity).
Lessons 4 and 5 - 21 hr labs and 6 hr lecture
Lessons 4 and 5 begin with XP Restore Point and Volume Shadow Copy analysis, which can be harnessed for some really cool stuff. We can use these snapshots to add fidelity and depth to our timeline, and we can use them to recover deleted files. Then comes deep-dive forensics (this is where the class dives into the weeds of file system analysis). The class dives into $MFT analysis, which introduces us to a second set of timestamps ($STDINFO), and new artifacts like the NTFS TriForce (David Cowen's baby). These artifacts are presented in this class, and we wrap up with methods and techniques for finding unknown malware. Assuming anti-virus fails to detect a threat, what are some methods we can use for detection? The class ends by introducing, and spending half a day discussing, the concept of malware funneling, which is the process of reducing data through a series of automated tasks until you have a small enough data set that you can perform manual analysis.
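The malware funneling idea above, as an added PowerShell example that is not part of the course materials: a constructed per-host process inventory is reduced in three automated stages (stack by path, keep only rare paths, flag binaries running outside the Windows system directories) until what remains is small enough to review by hand. The inventory, the 25% rarity threshold and the expected-path regex are assumptions for illustration.

```powershell
# Added example: frequency-stacking "funnel" over a constructed process inventory.
# Assumption: inventories were already collected per host (e.g. Get-CimInstance Win32_Process
# over PowerShell remoting); here the rows are embedded inline so the script runs offline.
$inventory = @'
Host,Name,Path
WS01,svchost.exe,C:\Windows\System32\svchost.exe
WS01,explorer.exe,C:\Windows\explorer.exe
WS02,svchost.exe,C:\Windows\System32\svchost.exe
WS02,explorer.exe,C:\Windows\explorer.exe
WS02,svchost.exe,C:\Users\Public\svchost.exe
WS03,svchost.exe,C:\Windows\System32\svchost.exe
WS03,explorer.exe,C:\Windows\explorer.exe
WS03,lsass.exe,C:\Windows\System32\lsass.exe
WS04,svchost.exe,C:\Windows\System32\svchost.exe
WS04,explorer.exe,C:\Windows\explorer.exe
'@ | ConvertFrom-Csv

$totalHosts = ($inventory | Select-Object -ExpandProperty Host -Unique).Count

# Stage 1: stack by full path and count the distinct hosts each path appears on.
$stacked = $inventory |
    Group-Object -Property Path |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.Name
            HostCount = ($_.Group | Select-Object -ExpandProperty Host -Unique).Count
            Hosts     = ($_.Group.Host | Sort-Object -Unique) -join ';'
        }
    }

# Stage 2: drop anything seen on more than 25% of hosts (assumed threshold); the rest is "rare".
$rare = $stacked | Where-Object { $_.HostCount -le [math]::Ceiling($totalHosts * 0.25) }

# Stage 3: flag rare binaries whose path is outside C:\Windows or C:\Windows\System32
# (assumed expected locations); these go to the top of the manual-review pile.
$funneled = $rare | ForEach-Object {
    $offPath = $_.Path -notmatch '^C:\\Windows\\(System32\\)?[^\\]+$'
    $_ | Add-Member -NotePropertyName OffPath -NotePropertyValue $offPath -PassThru
}

# What survives the funnel: the Public\svchost.exe row (OffPath = True) and the single
# lsass.exe row (rare but in its expected directory), instead of all ten inventory rows.
$funneled | Sort-Object -Property @{Expression = 'OffPath'; Descending = $true}, HostCount |
    Format-Table -AutoSize
```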
After the lecture, students spend the rest of the lesson in the lab as a team exercise. The team investigates a set of hosts that were part of an intrusion; however, this is not your normal everyday exercise. This is where it gets interesting!
This course is developed around an "as real as it gets" scenario. The scenario is about an R&D firm that makes a great discovery, only to be hacked by an APT. Students are given four hosts on which to conduct forensic investigations to determine what happened. Questions such as the initial infection vector, when the initial infection occurred, what data was lost, and the current state of the network can be answered.
When we talk about this lab, it is important to understand the level of detail used to create this virtual network. Not only did the network have hundreds of hosts and thousands of users, we ensured this network looked as real as possible. We hired a professional Red Team and trained them to act like an APT, we hired domain architects to build the domain in a professional and secure manner, and we even loaded the systems with some of the latest security tools. You will not find a lab this extensive anywhere else!
Overall: All in all, this course is so relevant and so practical that there is no reason not to put it on your wishlist. If you are serious about finding bad guys in your network (because, let's face it, they are there), then this course has your name on it.
Exam: Live NetWars. Following along with the labs, we created a forensic version of NetWars which tests students on basic forensic artifacts, timeline, registry, file system, and memory analysis. Anyone who has participated in NetWars will agree that it is a terrific learning environment and is worth the investment of time. This exam is a capture-the-flag exercise, graded pass or fail.